We demonstrate that the framework of bounded quantum reference frames has application 
to building quantum-public-key cryptographic protocols and proving their security. Thus, 
the framework we introduce can be seen as a public-key analogue of the framework of 
Bartlett et al. [1], where a private shared reference frame is shown to have cryptographic 
application. The protocol we present in this paper is an identification scheme, which, 
like a digital signature scheme, is a type of authentication scheme. We prove that our 
protocol is both reusable and secure under the honest-verifier assumption. Thus, we also 
demonstrate that secure reusable quantum-public-key authentication is possible to some 
extent. 

1 Introduction 

Since its inception, the focus of quantum cryptography has been on symmetric-key protocols, 
where Alice and Bob attempt to generate or are assumed to hold private shared correlations. 
Such correlations can usually be defined or encoded by a string of bits (the secret key), 
but Bartlett et al. [1] showed that they may also take the form of a private shared reference 
frame. Symmetric-key quantum protocols are usually unconditionally secure, meaning that the 
sole assumption is that (some part of) quantum theory is correct; however, Damgaard et al. 
[21 E] have investigated information-theoretically secure protocols in the bounded storage model, 
where an extra assumption is that the size of the adversary's quantum memory is limited. 

Going beyond the symmetric-key model, but retaining unconditional security, Gottesman 
and Chuang [I] introduced quantum-public-key cryptography — where the public keys are 
quantum systems, each of whose state encodes the (same) classical private key — by giving 
a secure one-time (digital) signature scheme for signing classical messages. The public-key 
framework eliminates the need for Alice and Bob to establish private shared correlations, which 
has practical advantages in large networks of users (where there may be many "Alices" or 
"Bobs"). 
One aspect of quantum-public-key cryptography that sets it apart from classical public-key 
cryptography is that the necessary limit on the number of copies of the public key implies that 
not everyone can use the protocol; however, in practice, the maximum number of users (or 
uses) of any particular protocol can be estimated, and thus the parameters of the protocol can 
be adjusted so that the limit allows for this maximum. Increasing this limit would presumably 
result in a less efficient instance of the protocol, and this is one kind of tradeoff between 
efficiency and usability in the quantum-public-key setting. Another kind concerns reusability. 
For instance, the abovementioned signature scheme is "one-time" because only one message 
may be signed under a particular key-value, even though many different users can verify that 
one signature. If a second message needs to be signed, the signer must choose a new private key 
and then distribute corresponding new public keys. One open problem is thus whether there 
exist reusable signature schemes, where either the same copy of the public key can be used to 
verify many different message-signature pairs securely, or where just the same key-values can 
be used to verify many different message-signature pairs securely (but a fresh copy of the public 
key is needed for each verification). The latter notion of "reusability" is what we adopt here. 

Our work appears to be of a dramatically different character when compared to other 
explorations of quantum-public-key protocols [51 El El El E] : we demonstrate that the framework 
of bounded quantum reference frames [10] has application to building such protocols and proving 
their security. Thus, the framework we introduce can be seen as a public-key analogue of the 
framework of Bartlett et al. [1] . 

The protocol we present in this paper is an identification scheme, which, like a signature 
scheme, is a type of authentication scheme. We prove that our protocol is both reusable 
and secure under the honest-verifier assumption (defined in the next section). Thus, we also 
demonstrate that secure reusable quantum-public-key authentication is possible to some extent. 

We now proceed with a description of our protocol (Section 2) and the honest-verifier 
security proof (Section 3). 

2 An identification scheme 

Suppose Alice generates a private key and authentically distributes copies of the corresponding 
public key to any potential users of the scheme, including Bob. The following is an intuitive 
description (adapted from Section 4.7.5.1 in Goldreich's book [TT]) of how a secure identification 
scheme works. If Alice wants to identify herself to Bob (i.e. prove that it is she with whom 
he is communicating), she invokes the identification protocol by first telling Bob that she 
is Alice, so that Bob knows he should use the public key corresponding to Alice (assuming 
Bob possesses public keys from many different people). The ensuing protocol (whatever it is) 
has the property that the prover Alice can convince the verifier Bob (except, possibly, with 
negligible probability) that she is indeed Alice, but an adversary Eve cannot fool Bob (except 
with negligible probability) into thinking that she is Alice, even after having listened in on the 
protocol between Alice and Bob or having participated as a (devious) verifier in the protocol 
with Alice several times. An honest-verifier identification protocol is only intended to be secure 
under the extra assumption that, whenever Eve engages the prover Alice in the protocol, Eve 
follows the verification protocol as if she were honest. Note that no identification protocol 
is secure against a person-in-the-middle attack, where Eve concurrently acts as a verifier with 
Alice and as a prover with Bob. Note also that, by our definition of "reusable," an identification 
scheme is considered reusable if Alice can prove her identity many times using the same 
key-values but the verifier needs a fresh copy of the public key for each instance of the protocol. 

A summary of our protocol is as follows. Alice chooses a private phase reference and 
distributes a limited number of samples of her reference frame as quantum public keys. The 
samples are used by Bob to verify that the prover is actually Alice. Because Alice has a perfect 
phase reference, she can carry out the identification protocol with no error (assuming perfect 
quantum channels). But, because Eve only has a bounded quantum reference frame (in the 
form of a limited number of copies of the public key), she inevitably incurs an error that Bob 
can detect with sufficiently high probability. 

2.1 Protocol specification 

A typical identification protocol is a challenge-response interactive proof, consisting of a kernel 
that is repeated several times; each iteration uses different random local parameter-values 
chosen by Alice or Bob (in describing protocol parameters, we use "local" to describe parameters 
whose values change in each kernel-iteration, and "global" to describe parameters whose values 
are constant over the entire protocol instance). The number s of times that the kernel is 
repeated is a global security parameter. Thus, in our case, when the other global parameters 
of the scheme are fixed, the probability that Eve can break the protocol (in an honest-verifier 
setting) is exponentially small in s. 

The private key in our protocol will be an s-tuple 



where $x_j$ is used only in the $j$th kernel-iteration. Alice chooses each $x_j$ independently and 
randomly, from some discrete uniform distribution. We note that, throughout the paper, the 
variable "j" will be reserved for the kernel-iteration index. 

Corresponding to each $x_j$ is a quantum state $|\psi_{x_j}\rangle := |\psi(x_j)\rangle$, via a fixed map $x \mapsto |\psi(x)\rangle$; 
we will sometimes write "$|\psi_x\rangle$" for "$|\psi(x)\rangle$". The state of (one copy of) the public key in our 
protocol is denoted 

Bob will use the $j$th subsystem of the public key (which is in the state $|\psi_{x_j}\rangle$) only in the $j$th 
kernel-iteration. 

Now that we understand the global structure of the keys, we shall give the details of how 
every $x_j$ and $|\psi_{x_j}\rangle$ are chosen, usually dropping the subscript $j$ (since the procedure is the same 
for all $j$). For the integer-valued, global parameter $r > 0$, Alice chooses the value $x$ uniformly 
from $\{1, 2, \ldots, r+1\}$ and authentically distributes (e.g. via trusted courier) at most $r$ copies 
of (a system in the state) $(|0\rangle + e^{2\pi i x/(r+1)}|1\rangle)/\sqrt{2}$. This implicitly defines the fixed map above, 
that is, $|\psi(x)\rangle := |0\rangle + e^{2\pi i x/(r+1)}|1\rangle$ (we often omit normalization factors). Thus, by the above 
notation, 

$$|\psi_{x_j}\rangle = |0\rangle + e^{2\pi i x_j/(r+1)}|1\rangle. \qquad (3)$$

The parameter r is the reusability parameter, dictating the maximum number of secure uses of 
the scheme for a fixed public key. This completes the definition of the private and public keys. 
The kernel of our interactive protocol is the following three steps. For convenience, let 

$$\phi_x := 2\pi x/(r+1). \qquad (4)$$

We assume that all quantum channels are perfect. 

1. Bob creates $|0\rangle|1\rangle + |1\rangle|0\rangle$, and sends one register of this system to Alice. 

2. Alice measures the received register in the basis $\{|0\rangle \pm e^{i\phi_x}|1\rangle\}$. If the state of the register 
immediately after the measurement is $|0\rangle + e^{i\phi_x}|1\rangle$, then Alice sends "0" to Bob; otherwise, 
Alice sends "1". 

3. If Bob receives "1", then he applies the Pauli-Z gate 

$$Z := \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix} \qquad (5)$$

to the register that he kept in Step 1. Finally, Bob SWAP-tests$^{3}$ this register with his 
authentic copy of $|\psi_x\rangle$. 



3 The SWAP-test of two registers (labelled 2 and 3) in the states $|\xi\rangle_2$ and $|\chi\rangle_3$ is a measurement (with respect 
to the computational basis $\{|0\rangle_1, |1\rangle_1\}$) of the control register (labelled 1) of the state 

$$(H_1 \otimes I_2 \otimes I_3)(\text{c-SWAP}_{2,3})(|0\rangle_1 + |1\rangle_1)|\xi\rangle_2|\chi\rangle_3/\sqrt{2}, \qquad (6)$$

where $H_1$ is the usual Hadamard gate (applied to register 1) and $\text{c-SWAP}_{2,3}$ is the controlled-SWAP gate. 
The probability that the state is $|0\rangle_1$ immediately after the measurement (which corresponds to a pass) is 
$(1 + |\langle\xi|\chi\rangle|^2)/2$. When the registers 2 and 3 are in the mixed states $\rho$ and $\rho'$, this probability is $(1 + \mathrm{tr}(\rho\rho'))/2$. 
After the kernel is repeated $s$ times, Bob "accepts" if all the SWAP-tests passed; otherwise, 
Bob "rejects". It is clear that, when Alice and Bob are honest, the protocol is correct, that is, 
Bob always "accepts". To see this, note that, up to global phase, the state $|01\rangle + |10\rangle$ equals 

$$(|0\rangle + e^{i\phi_x}|1\rangle)(|0\rangle + e^{i\phi_x}|1\rangle) - (|0\rangle - e^{i\phi_x}|1\rangle)(|0\rangle - e^{i\phi_x}|1\rangle). \qquad (7)$$

As a final specification for the protocol, we also stipulate that Alice not engage in the 
protocol more than r times (when there are r copies of the public key in circulation) for a 
particular value of the private key. 
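
The kernel specified above can be checked numerically. The following is an added example, not code from the paper: it computes the exact SWAP-test pass probability of one kernel-iteration from the state in Step 1, the measurement in Step 2 and the conditional Z in Step 3. The function names, the sample private key and the phase-guessing prover (a prover holding no copy of the public key, i.e. t = 0) are assumptions made for the illustration.

```python
import cmath
import math

INV_SQRT2 = 1 / math.sqrt(2)


def public_key_state(x, r):
    """Normalized |psi_x> = (|0> + e^{2*pi*i*x/(r+1)}|1>)/sqrt(2) as [amp0, amp1]."""
    phi = 2 * math.pi * x / (r + 1)
    return [complex(INV_SQRT2), cmath.exp(1j * phi) * INV_SQRT2]


def kernel_pass_probability(x, r, prover_phase, apply_z=True):
    """Exact probability that Bob's SWAP-test passes in one kernel-iteration.

    The prover measures in the basis {|0> +/- e^{i*prover_phase}|1>}; honest
    Alice uses prover_phase = 2*pi*x/(r+1).
    """
    target = public_key_state(x, r)
    total = 0.0
    for sign, bit in ((+1, 0), (-1, 1)):
        # Step 2: measurement vector applied to the register Bob sent.
        m = [complex(INV_SQRT2), sign * cmath.exp(1j * prover_phase) * INV_SQRT2]
        # Step 1 state is (|0>_B|1>_A + |1>_B|0>_A)/sqrt(2); projecting register A
        # onto <m| leaves Bob with <m|1>|0> + <m|0>|1> (unnormalized).
        bob = [m[1].conjugate() * INV_SQRT2, m[0].conjugate() * INV_SQRT2]
        p_outcome = abs(bob[0]) ** 2 + abs(bob[1]) ** 2
        bob = [a / math.sqrt(p_outcome) for a in bob]
        # Step 3: Bob applies Z when the prover reported "1".
        if bit == 1 and apply_z:
            bob[1] = -bob[1]
        overlap = abs(target[0].conjugate() * bob[0] + target[1].conjugate() * bob[1]) ** 2
        # SWAP-test pass probability for pure states (footnote 3).
        total += p_outcome * (1 + overlap) / 2
    return total


def honest_phases(private_key, r):
    """Phase angles phi_x = 2*pi*x/(r+1) that honest Alice uses, one per iteration."""
    return [2 * math.pi * x / (r + 1) for x in private_key]


def accept_probability(private_key, r, prover_phases):
    """Bob accepts only if all s SWAP-tests pass; the x_j are independent."""
    prob = 1.0
    for x, phase in zip(private_key, prover_phases):
        prob *= kernel_pass_probability(x, r, phase)
    return prob


def average_pass_for_fixed_guess(r, guess):
    """Single-iteration pass probability, averaged over the uniform private x,
    for a prover with no key copy who measures with the phase for `guess`."""
    phase = 2 * math.pi * guess / (r + 1)
    return sum(kernel_pass_probability(x, r, phase) for x in range(1, r + 2)) / (r + 1)


if __name__ == "__main__":
    r = 5
    key = [3, 1, 6, 2]  # constructed sample private key, s = 4
    print("honest accept probability:", accept_probability(key, r, honest_phases(key, r)))
    print("guessing prover, per iteration:", average_pass_for_fixed_guess(r, 2))
    print("honest prover, Z correction skipped:",
          kernel_pass_probability(3, r, honest_phases([3], r)[0], apply_z=False))
```

The guessing prover passes a single iteration with probability 3/4, which is below the value 1 - 1/8(t+1) = 7/8 that the security section gives for t = 0, and its chance of passing all s iterations falls off as (3/4)^s.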

3 Honest-verifier security 

We now present the proof of security of the above protocol under the simplifying assumptions 
that (1) Eve, the adversary, never passively monitors any protocol instances between Alice and 
Bob, and (2) Eve never participates in the protocol as a verifier (Alice and Bob are always 
honest). We will show at the end of the paper (in Section 3.5) how to modify the protocol so 
that it is secure under the proper honest-verifier assumption (where Eve is allowed to passively 
monitor as well as follow the verifier protocol honestly with Alice). 

Note that if Eve has $t$ copies of the public key, then she has at most $(r - t)$ chances to fool 
Bob, i.e., cause Bob to "accept". Most of the argument, beginning in Section 3.1, is devoted 
to showing that 

$$\Pr[\text{Eve fools Bob on first attempt, using } t \text{ copies}] \qquad (8)$$
$$\leq \left(1 - \frac{1}{8(t+1)}\right)^{s}. \qquad (9)$$

In general, Eve learns something from one attempt to the next; however, because Eve can 
simulate her interaction with Bob at the cost of using one copy of the public key per 
kernel-iteration, we have, for $l = 2, 3, \ldots, (r - t)$, 

$$\Pr[\text{Eve fools Bob on } l\text{th attempt, using } t \text{ copies}] \leq \Pr[\text{Eve fools Bob on first attempt, using } (t + l - 1) \text{ copies}].$$
Given this, we use the union bound: 

$$\begin{aligned}
\Pr[\text{Eve fools Bob at least once, using } t \text{ copies}]
&\leq \sum_{l=1}^{r-t} \Pr[\text{Eve fools Bob on } l\text{th attempt, using } t \text{ copies}] \\
&\leq \sum_{l=1}^{r-t} \Pr[\text{Eve fools Bob on first attempt, using } (t + l - 1) \text{ copies}] \\
&\leq \sum_{l=1}^{r-t} \left(1 - \frac{1}{8(t+l)}\right)^{s} \\
&\leq (r - t)\left(1 - \frac{1}{8r}\right)^{s}.
\end{aligned}$$



It follows that the probability that Eve can fool Bob at least once, that is, break the protocol, 
is 

$$P_{\text{break}} \leq r\left(1 - \frac{1}{8r}\right)^{s}, \qquad (10)$$

which, for fixed $r$, is exponentially small in $s$. 

We note that, for a secure protocol, one can use $s \in \Omega(r \log(r))$; this shows how the efficiency 
of the protocol scales with its reusability. 

The remainder of the proof establishes the bound in Lines (8) and (9). 

3.1 Preliminary analysis 

Since each $x_j$ is independently and randomly selected from the set $\{1, 2, \ldots, r+1\}$, any 
information about the values of $x_k$ for $k \neq j$ will be of no help to Eve in (kernel-) iteration $j$. 
In other words, her probability of passing the SWAP-test in Step 3 with public key $|\psi(x_j)\rangle$ is no 
higher given any information about the values of $x_k$ for $k \neq j$. In particular, the probability 
of passing the SWAP-test in iteration $j$ conditioned on passing the SWAP-test in any other 
iteration can be no higher than the optimal probability of passing the SWAP-test in iteration 
$j$. In this section, we show that the probability of passing the SWAP-test for any particular 
iteration is at most $1 - \frac{1}{8(t+1)}$, and thus the probability of passing all $s$ SWAP-tests is at 
most $\left(1 - \frac{1}{8(t+1)}\right)^{s}$. 

Now, we show that, from Bob's and Eve's points of view, Alice's choosing the private phase 
angle $\phi_x$ from the discrete set $\{2\pi x/(r+1) : x = 1, 2, \ldots, r+1\}$ is equivalent to her choosing 
the phase angle from the continuous interval $[0, 2\pi)$. The only information that Eve (who is 
never allowed to act as verifier) and Bob have about $\phi_x$ comes from the $r$ copies of $|\psi_x\rangle$. They 
describe the state of these $r$ systems by the density operator 

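$$\frac{1}{r+1}\sum_{x=1}^{r+1}\left((|0\rangle + e^{2\pi i x/(r+1)}|1\rangle)(\langle 0| + e^{-2\pi i x/(r+1)}\langle 1|)\right)^{\otimes r}. \qquad (11)$$

Had $\phi_x$ been chosen uniformly from $\{2\pi x/(r+1) : x \in [0, r+1)\} = [0, 2\pi)$, they would describe 
the state by 

$$\frac{1}{2\pi}\int_{0}^{2\pi}\left((|0\rangle + e^{i\phi}|1\rangle)(\langle 0| + e^{-i\phi}\langle 1|)\right)^{\otimes r} d\phi. \qquad (12)$$

It is straightforward to show that the above two density operators are both equal to 

$$\frac{1}{2^{r}}\sum_{w=0}^{r}\binom{r}{w}|S_w^r\rangle\langle S_w^r|, \qquad (13)$$

where $|S_w^r\rangle$ is the normalized symmetric sum of all $\binom{r}{w}$ states in $\{|0\rangle, |1\rangle\}^{\otimes r}$ whose binary labels 
have Hamming weight $w$.$^{4}$ Thus, without loss, we may drop the subscript "$x$" on "$\phi_x$", write 
"$\phi$" for Alice's private phase angle, and assume she did (somehow) choose $\phi$ uniformly randomly 
from $[0, 2\pi)$.$^{5}$ 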
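
The equality of Lines (11) and (13) can be verified numerically for small r. The following is an added check, not code from the paper: it builds both density matrices with normalized states and also shows the failure case, where the number of phase values does not exceed the number of copies in circulation, which is the reason Section 3.5 enlarges the key set to 2r + 1 values once up to 2r copies may be held. The function names and the small constructed cases (3 and 4 copies) are assumptions made for the illustration.

```python
import cmath
import math
from itertools import product


def key_copies_mixture(copies, num_phases):
    """Density matrix of `copies` public-key copies when the phase is uniform over
    {2*pi*x/num_phases : x = 1..num_phases}. Line (11) is the case copies = r,
    num_phases = r + 1. States are normalized here."""
    labels = list(product((0, 1), repeat=copies))
    dim = len(labels)
    rho = [[0j] * dim for _ in range(dim)]
    for x in range(1, num_phases + 1):
        phi = 2 * math.pi * x / num_phases
        # The amplitude of basis label b in the product state depends only on
        # the Hamming weight of b.
        vec = [cmath.exp(1j * phi * sum(b)) / math.sqrt(dim) for b in labels]
        for i in range(dim):
            for j in range(dim):
                rho[i][j] += vec[i] * vec[j].conjugate() / num_phases
    return rho


def symmetric_mixture(copies):
    """Line (13): 2^{-r} * sum_w C(r, w) |S_w><S_w|, which carries no phase."""
    labels = list(product((0, 1), repeat=copies))
    dim = len(labels)
    rho = [[0j] * dim for _ in range(dim)]
    for w in range(copies + 1):
        members = [i for i, b in enumerate(labels) if sum(b) == w]
        count = len(members)        # C(r, w)
        amp = 1 / math.sqrt(count)  # |S_w> has equal amplitude on each member
        for i in members:
            for j in members:
                rho[i][j] += count * amp * amp / dim
    return rho


def max_abs_diff(a, b):
    """Largest entry-wise deviation between two square matrices."""
    n = len(a)
    return max(abs(a[i][j] - b[i][j]) for i in range(n) for j in range(n))


def phase_hidden(copies, num_phases, tol=1e-12):
    """True when the discrete-phase mixture is indistinguishable from Line (13)."""
    return max_abs_diff(key_copies_mixture(copies, num_phases),
                        symmetric_mixture(copies)) < tol


if __name__ == "__main__":
    print("r = 3 copies, r + 1 = 4 phases hidden:", phase_hidden(3, 4))
    print("3 copies, only 3 phases hidden:", phase_hidden(3, 3))
    print("r = 2: 2r = 4 copies, 2r + 1 = 5 phases hidden:", phase_hidden(4, 5))
    print("r = 2: 2r = 4 copies, r + 1 = 3 phases hidden:", phase_hidden(4, 3))
```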

3.2 Equivalence of assuming no shared reference frame 

Thus far, we have implicitly assumed that Alice, Bob, and Eve share a perfect phase reference 
(frame), in that all three are assumed able to implement the same (Hadamard) gate 



$$\frac{1}{\sqrt{2}}\begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix} \qquad (16)$$
4 This requires the following two facts: (1) for any integer $a$, 

$$\frac{1}{2\pi}\int_{0}^{2\pi} e^{ia\theta}\, d\theta = \begin{cases} 0 & \text{if } a \neq 0, \\ 1 & \text{otherwise}; \end{cases} \qquad (14)$$

and (2) for any integer $p \geq 2$ and integer $a$: 

if $a$ is not a multiple of $p$, 

(15) 
otherwise, 

where the second fact is applied at $p = r + 1$. 

5 One way to interpret this result is that even if Alice encodes infinitely many bits into $\phi$, it is no better than 
if she encoded $\lceil\log_2(r+1)\rceil$ bits. Note that if Eve performs an optimal phase estimation [12] in order to learn 
$\phi$ and then cheat Bob, she can only learn at most $\lfloor\log_2(r-1)\rfloor$ bits of $\phi$ (here, we assume Eve has $r - 1$ copies 
of the public key, having left Bob one copy), whereas Alice actually encoded $\lceil\log_2(r+1)\rceil$ bits into $\phi$. 
defined with respect to the common basis $\{|0\rangle, |1\rangle\}$. Now, we show that our protocol (where 
Alice chooses a private random $\phi$) under this assumption is equivalent to a protocol (where 
Alice need not choose any random phase parameter) under a new assumption that Alice, Bob, 
and Eve have maximal ignorance about one another's phase reference. This is easily done in 
three steps: (1) first, we rewrite our protocol under the new assumption of no shared phase 
reference; (2) then, we note that the honest version of our protocol under the new assumption 
still works the same way as under the original assumption, but that Alice's private phase angle 
becomes redundant; (3) finally, we consider Eve's perspective, noting that her task of cheating 
looks the same as it did under the original assumption, and that, as far as she is concerned, 
$\phi$ is redundant. 

Each player can now be assumed to have his or her own perfect phase reference.$^{6}$ Consider 
first Alice. Having her own perfect phase reference will mean for us that she has the system 
$(|0\rangle + e^{i\phi_A}|1\rangle)^{\otimes N_A}$ for arbitrarily large $N_A$ and some $\phi_A \in [0, 2\pi)$.$^{7}$ We assume Alice has 
maximal ignorance of the value of $\phi_A$; we have written the state of her phase reference from 
the perspective of a fictitious omniscient. With this setup, Alice's public-key-element is thus $r$ 
copies of $|0\rangle + e^{i(\phi+\phi_A)}|1\rangle$. 

Bob has his own independent, perfect phase reference, defined analogously by $\phi_B$. He can 
still create $|0\rangle|1\rangle + |1\rangle|0\rangle$ (up to global phase $e^{i\phi_B}$) in Step 1 of the kernel. In Step 2, Alice 
measures with respect to the basis $\{|0\rangle \pm e^{i(\phi+\phi_A)}|1\rangle\}$ and sends Bob "0" if she gets the outcome 
corresponding to "+" and sends "1" otherwise. Step 3 looks the same. It is easy to see that, 
when Alice and Bob are honest, our protocol under the new assumption works the same way 
as it did originally. Furthermore, $\phi$ is redundant, since it may be absorbed into $\phi_A$. 

Let us now consider Eve, whose independent and perfect phase reference is defined by $\phi_E$. 
We assume Eve gets a hold of $t$ copies of the system $|0\rangle + e^{i(\phi+\phi_A)}|1\rangle$. Let $|1'\rangle := e^{i\phi_E}|1\rangle$ and 
let $\phi' := \phi + \phi_A - \phi_E$. Thus, to summarize: Eve has $t$ copies of $|0\rangle + e^{i\phi'}|1'\rangle$ for uniformly 
random (and unknown) $\phi' \in [0, 2\pi)$, and she has a perfect phase reference with respect to the 
basis $\{|0\rangle, |1'\rangle\}$, and Alice performs a measurement in the basis $\{|0\rangle \pm e^{i(\phi+\phi_A)}|1\rangle\}$. Therefore, the 
situation for Eve is equivalent to that in our original protocol, and once again $\phi$ is redundant 
as it can be absorbed into $\phi_A$. 

For the remainder of the proof, we adopt the new assumption and protocol (where $\phi$ has 
been absorbed into $\phi_A$). To simplify the presentation, we take $\phi_A = 0$ without loss of generality. 
Thus, the public-key-element (for any particular kernel-iteration $j$ that we are considering) now 
looks like $r$ copies of $|0\rangle + |1\rangle$. 

6 In practice, no phase reference is perfect. But we can assume that it is arbitrarily good, which we call 
"perfect". 

7 There are many different types of states that can serve as phase reference frames, the most popular type 
being an optical coherent state; see e.g. [10]. 
3.3 Sufficiency of maximizing successful guessing probability 



The security of our protocol follows from a result of Bartlett et al. [10], which concerns a slightly 
different problem for Eve than the problem of her trying to fool Bob. This different problem is 
for Eve to guess whether she has been given the system $|0\rangle + |1\rangle$ or $|0\rangle - |1\rangle$, where each case 
occurs with equal probability. The purpose of this section is to show that any good cheating 
strategy gives a good guessing strategy; we will show that an upper bound on the average 
successful guessing probability gives an upper bound on the cheating probability, so that, in 
order to prove security, it suffices to show that the maximum successful guessing probability is 
sufficiently small (which we will do in the next section). 

Any cheating strategy of Eve can be modeled as follows. Let 

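$$|\pm\rangle := |0\rangle \pm |1\rangle. \qquad (17)$$

Recall that Bob creates a system in the state $|0\rangle|1\rangle + |1\rangle|0\rangle$ and that 

$$|0\rangle|1\rangle + |1\rangle|0\rangle = |+\rangle|+\rangle - |-\rangle|-\rangle. \qquad (18)$$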

Eve's system before Bob sends one of his registers can be represented by $|\Xi\rangle_E$, which consists 
of the $t$ copies of $|0\rangle + |1\rangle$ as well as any ancillary registers (which we can assume are in the 
pure state $|0\rangle$). Eve's (optimal) POVM can thus be modeled by a unitary operation $U_E$ acting 
on her system (which now includes the register Bob sends), which transforms the state of the 
total system as follows: 

$$\frac{1}{\sqrt{2}}\left(|+\rangle_B|+\rangle_E - |-\rangle_B|-\rangle_E\right)|\Xi\rangle_E \xrightarrow{\;U_E\;} \qquad (19)$$
$$\frac{1}{\sqrt{2}}\Big(|+\rangle_B\left(\alpha|0\rangle_E|\psi_0\rangle_E + \beta|1\rangle_E|\psi_1\rangle_E\right) - \qquad (20)$$
$$|-\rangle_B\left(\gamma|0\rangle_E|\varphi_0\rangle_E + \delta|1\rangle_E|\varphi_1\rangle_E\right)\Big), \qquad (21)$$

so that the leftmost register of Eve's system encodes the measurement outcome. Bob's 
application of the Z gate conditioned on the value of the measurement outcome can be modeled by 
a controlled-Z gate, which will take the state of the total system to 

$$\frac{1}{\sqrt{2}}\Big(|+\rangle_B\left(\alpha|0\rangle_E|\psi_0\rangle_E - \delta|1\rangle_E|\varphi_1\rangle_E\right) + \qquad (22)$$
$$|-\rangle_B\left(\beta|1\rangle_E|\psi_1\rangle_E - \gamma|0\rangle_E|\varphi_0\rangle_E\right)\Big). \qquad (23)$$

Let $\tau$ represent the density operator for this state after Eve's system has been traced out. The 
probability that Bob's SWAP-test passes is easily calculated to be 

$$P_{\text{pass}} = \frac{1 + \langle +|\tau|+\rangle}{2} \qquad (24)$$
$$= \frac{1 + (|\alpha|^{2} + |\delta|^{2})/2}{2}. \qquad (25)$$

(26) 



Now, suppose Eve is faced with the different problem of guessing whether Bob gave her $|+\rangle$ 
or $|-\rangle$, where each case occurs with probability 1/2. Since, as can be seen from the mapping 
in Line (19), $U_E$ maps 

$$|+\rangle_E|\Xi\rangle_E \xrightarrow{\;U_E\;} \alpha|0\rangle_E|\psi_0\rangle_E + \beta|1\rangle_E|\psi_1\rangle_E \qquad (27)$$
$$|-\rangle_E|\Xi\rangle_E \xrightarrow{\;U_E\;} \gamma|0\rangle_E|\varphi_0\rangle_E + \delta|1\rangle_E|\varphi_1\rangle_E, \qquad (28)$$

Eve can use the same procedure she used for her attack in order to guess which state Bob 
prepared: upon measuring her leftmost register, she guesses "$|+\rangle$" if she gets outcome "0", and 
otherwise she guesses "$|-\rangle$". The probability that she guesses successfully on average using 
this strategy is clearly 

$$P_{\text{succ}} = \tfrac{1}{2} \times \Pr(\text{outcome} = \text{"0"} \mid \text{Bob prepared } |+\rangle) \; + \qquad (29)$$
$$\tfrac{1}{2} \times \Pr(\text{outcome} = \text{"1"} \mid \text{Bob prepared } |-\rangle) \qquad (30)$$
$$= (|\alpha|^{2} + |\delta|^{2})/2. \qquad (31)$$

Thus, any upper bound on $P_{\text{succ}}$ gives an upper bound on $P_{\text{pass}}$. 



3.4 Bounding the successful guessing probability 

Bartlett et al. [10] give an expression for the average successful guessing probability in terms 
of the state $\rho$ of a general single-mode bounded phase reference frame. A single mode is 
mathematically modeled by $\mathbb{C}^{N+1}$, and a basis for this space is $\{|n\rangle : n = 0, 1, \ldots, N\}$ (do not 
think of $n$ as shorthand for the binary representation of $n$: $|n\rangle \neq |n_1\rangle|n_2\rangle\cdots|n_m\rangle$ for $n_1 n_2 \cdots n_m$ 
the binary representation of integer $n$). Note that $N$ can equal $\infty$, but, for us, it will suffice 
to take $N = t$. We have implicitly assumed that Eve's bounded reference frame, consisting 
of $t$ copies of $|0\rangle + |1\rangle$, is a $t$-mode system, modeled by $(\mathbb{C}^{t+1})^{\otimes t}$, but where we only ever used 
a two-dimensional subspace $\mathrm{span}\{|0\rangle, |1\rangle\}$ of each mode. So that we may apply Bartlett et al.'s 
analysis, it suffices for us to show that Eve's multi-mode reference frame is unitarily equivalent 
to a single-mode reference frame and that the unitary operation that relates the two is perfectly 
implementable by Eve. 

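Recalling the definition following Line (13), Eve's reference frame is in the state 

$$(|0\rangle + |1\rangle)^{\otimes t} = \sum_{w=0}^{t}\sqrt{\binom{t}{w}}\,|S_w^t\rangle, \qquad (32)$$

where $|S_w^t\rangle$ is a $t$-mode state. Now we note that the transformation 

$$|S_w^t\rangle \mapsto |0\rangle^{\otimes(t-1)}|w\rangle, \quad \text{for all } w = 0, 1, \ldots, t, \qquad (33)$$

where $|w\rangle$ is a single-mode state, can be completed on the vector space $(\mathbb{C}^{t+1})^{\otimes t}$ so that it is 
unitary and phase invariant.$^{8}$ Thus, Eve can carry out this transformation with no error. 
Therefore, we may assume that Eve's phase reference frame is in the state (described from the 
omniscient's perspective) 

$$\rho = \frac{1}{2^{t}}\sum_{w,w'=0}^{t}\sqrt{\binom{t}{w}\binom{t}{w'}}\,|w\rangle\langle w'|. \qquad (35)$$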



We are now ready to apply the result of Bartlett et al. [10]. Using Equation (21) of their 
paper gives 




P 

1 succ 



j CO 

-^((m + l|p|m» (36) 

(37) 

which we can show to be in $1 - \Omega(1/t)$ (up to logarithmic factors) using some simple 
approximations. Cheung [TT] has improved our asymptotic bound on this quantity by showing 




8 Define the unitary re-phasing map $U(\theta)$ on $(\mathbb{C}^{t+1})^{\otimes t}$ as the mapping 

$$|w_1\rangle|w_2\rangle\cdots|w_t\rangle \mapsto e^{i(w_1 + w_2 + \cdots + w_t)\theta}\,|w_1\rangle|w_2\rangle\cdots|w_t\rangle \qquad (34)$$

for any $\theta$ and all $w_l = 0, 1, \ldots, t$, for $l = 1, 2, \ldots, t$. A unitary operation $V$ on $(\mathbb{C}^{t+1})^{\otimes t}$ is said to be phase invariant 
if $U(\theta) V U(\theta)^{\dagger} = V$ for all $\theta$. Thus, if $V$ is phase invariant, Eve does not need any particular phase reference to 
perform $V$: she can use her own phase reference (defined by $\phi_E$; see Section 3.2), and the result will be the 
same as if Alice performed $V$ using her own phase reference (defined by $\phi_A$). See Section II.B of Bartlett et al. 
[13] for more details. 
that 




m + 1 



t 



) 



< 1 - 



2(t+l) 2* +1 ' 



1 1 



(38) 



which implies 

$$P_{\text{succ}} \leq 1 - \frac{1}{4(t+1)}. \qquad (39)$$

It follows that 

$$P_{\text{pass}} \leq 1 - \frac{1}{8(t+1)}, \qquad (40)$$


which we recall is an upper bound on the probability that Bob's SWAP-test passes in any 
particular kernel-iteration, when Eve is acting as a dishonest prover and using $t$ copies of the 
public key. Thus, as we showed at the beginning of Section 3.1, the total probability that Eve 
causes all $s$ of Bob's SWAP-tests to pass is 



as claimed in Lines (8) and (9). This completes the proof of security of the protocol under the 
two simplifying assumptions mentioned at the beginning of Section 3. Next, we show how to 
remove these assumptions. 

3.5 Removing the simplifying assumptions 

Recall the two simplifying assumptions: (1) Eve never passively monitors any protocol instances 
between Alice and Bob, and (2) Eve never participates in the protocol as a verifier. With 
regard to the first assumption, note that Eve only sees uniformly random bits when passively 
monitoring any protocol instance between Alice and Bob, and thus does not gain any useful 
information in doing so. For the second assumption, note that Eve can at best extract one 
extra copy of the public key from Alice when Eve follows the verifier protocol honestly, for 
a maximum of $r$ extra copies (recall Alice only participates in the protocol $r$ times before 
refreshing her keys). Thus, it follows that, in order to modify the protocol so that it is (fully) 
honest-verifier secure, we just need to have Alice choose the private key $x$ uniformly from 
the larger set $\{1, 2, \ldots, 2r+1\}$ with corresponding public-key-element $|0\rangle + e^{2\pi i x/(2r+1)}|1\rangle$; this 
ensures that Alice's private phase-angle looks to Bob and Eve like it was chosen uniformly from 
$[0, 2\pi)$ (recall Section 3.1). For the corresponding modified analysis, we just need to assume 
that Eve has $r$ additional copies of the public key; ultimately, this only changes the constant 
in Line (10) from 8 to 16. Thus, the security of the modified protocol under the honest-verifier 
assumption is asymptotically equivalent (in terms of the relationship between $r$ and $s$) to that 
of the original protocol under the two simplifying assumptions. 